Among the many damning accusations in the newly released Twitter whistleblower complaint is the disturbing revelation that Twitter could not seal off its production environment to protect against potential insider threats in the wake of the January 6 attack on the US Capitol. Twitter’s former head of security Peiter “Mudge” Zatko has accused Twitter of serious cybersecurity negligence in an extensive new complaint filed with the Federal Trade Commission (FTC), the US Securities and Exchange Commission (SEC) and the Department of Justice. Among the allegations, which range from poor data protection to Federal Trade Commission violations, the complaint shows that Twitter had no way to protect itself if one of its own employees went rogue.
This issue was discovered on January 6, after a violent mob attacked the US Capitol building. As a precaution, Zatko wanted to lock down Twitter’s internal systems and found that wasn’t an option.
Zatko said he asked the executive in charge of engineering how Twitter could seal off its production environment to protect it from any insider threats from employees who might have supported the insurgents. The complaint explains that Zatko did not want employees to access or potentially damage the production environment while the Capitol attack was underway.
What he found, however, was that such blocking was not merely difficult—it was allegedly impossible.
“All engineers had access,” the complaint said. “There was no logging of who entered the environment or what they did. When Mudge [Peiter Zatko] asked what could be done to protect the integrity and stability of the service from a rogue or disgruntled engineer during this period of heightened risk, he learned that it was nothing. There were no logs, no one knew where the data lived or if it was critical, and all engineers had some form of critical access to the production environment,” the complaint states.
Twitter hired Zatko in late 2020 to lead its security department following a high-profile attack that compromised the Twitter accounts of several high-profile figures, including Joe Biden, Bill Gates and Elon Musk. During Zatko’s time at Twitter, the security professional claims he witnessed a company that lacked basic security controls and procedures and where about 5,000 people — or half of Twitter’s staff at the time — had access to “sensitive live production systems and user data” to do their jobs.
This goes against standard engineering and security principles, which restrict access to live production environments. Engineers at tech companies the size of Twitter would typically use staging environments and test data rather than live customer data. Twitter didn’t, Zatko found. Instead, he found employees building, testing and developing new software directly in production with active customer data and other sensitive information, he said. In addition, much of that access was not monitored or logged, the complaint states.
As a result of Twitter’s weak security, Zatko says the company was vulnerable to insider threats during the Capitol uprising.
The complaint also highlights how Twitter’s lack of logging could allow employees to take various actions without getting caught. Twitter’s issues around proper logging were already known thanks to the New York State Department of Financial Services (DFS) investigation into the July 15, 2020 hack of the Twitter accounts of cryptocurrency firms and other well-known figures. DFS had found that Twitter lacked adequate cybersecurity protections, including “adequate access control and identity management, as well as adequate security monitoring.”
The complaint also states that Twitter did not have a Chief Information Security Officer (CISO) during 2020, the year of the Twitter hack — then the largest hack of a social media platform in history. Zatko noted this in the complaint as one of the ways Twitter was violating its 2011 FTC Consent Order. (The FTC order was issued after a series of security incidents in 2009 allowed hackers to take administrative control of Twitter’s systems. Under the terms of the settlement with the FTC, Twitter was ordered to establish and maintain a comprehensive information security program, to be evaluated by an external auditor.)
The complaint states that Twitter had neither a CISO nor an executive familiar with information security and privacy engineering when it was attacked in 2020 — just months before the Capitol attack. The company lost its previous security chief, Mike Convertino, in December 2019 when he left to join a cyber resilience firm, Arceo. Twitter didn’t appoint a replacement until late September 2020, when it hired Rinki Sethi, previously of cloud data management company Rubrik, to serve as CISO. That meant Twitter spent much of the year before Jan. 6 without a chief information security officer.
Zatko later joined Twitter in November 2020 to head security.
In the CISO’s absence, Parag Agrawal — then Twitter’s chief technology officer, now CEO — was the key decision-maker responsible for fixing the security vulnerabilities exposed by the 2020 Twitter hack, the complaint said.
Later, both Zatko and Sethi were among those who left the company when Agrawal shook up Twitter’s executive leadership in January this year, having taken over as CEO following Jack Dorsey’s November 2021 departure. Twitter then appointed Lea Kissner as CISO on an interim basis following Sethi’s departure.
Twitter dismissed Zatko’s whistleblowing as a “false narrative” that was “riddled with inconsistencies and inaccuracies” in statements made to the press — including those provided to TechCrunch.
Agrawal also sent the same message in a memo to company officials, included below.